SSL-busting code that threatened Lenovo users found in a dozen more apps

"What all these applications have in common is that they make people less secure."

The list of software known to use the same HTTPS-breaking technology recently found preinstalled on Lenovo laptops has risen dramatically with the discovery of at least 12 new titles, including one that's categorized as a malicious trojan by a major antivirus provider.

"What all these applications have in common is that they make people less secure through their use of an easily obtained root CA [certificate authority], they provide little information about the risks of the technology, and in some cases they are difficult to remove," Matt Richard, a threats researcher on the Facebook security team, wrote in Friday's post. "Furthermore, it is likely that these intercepting SSL proxies won't keep up with the HTTPS features in browsers (e.g., certificate pinning and forward secrecy), meaning they could potentially expose private data to network attackers. Some of these deficiencies can be detected by antivirus products as malware or adware, though from our research, detection successes are sporadic."

Komodia, a company that brazenly calls one of its software development kits an "SSL hijacker," is able to bypass secure sockets layer protections by modifying the network stack of computers that run its underlying code. Specifically, Komodia installs a self-signed root CA certificate that allows the library to intercept encrypted connections from any HTTPS-protected website on the Internet. This behavior is by no means unique to Komodia, Superfish, or the other programs that use the SSL-breaking certificates. Antivirus apps and other security-related wares often install similar root certificates. What sets Komodia apart from so many others is its reuse of the same digital certificate across many different computers.

Researchers have already documented that the password protecting most or all of the Komodia certificates is none other than "komodia". It took Errata Security CEO and whitehat hacker Rob Graham only three hours to crack this woefully weak password. From there, he used the underlying private key in the Komodia certificate to create fake HTTPS-enabled websites for Bank of America and Google that were fully trusted by Lenovo computers. Despite the seriousness of Graham's discovery and the ease other security researchers had in reproducing his results, Superfish CEO Adi Pinhas issued a statement on Friday saying Superfish software posed no security risk.

According to Facebook's Richard, more than a dozen software applications other than Superfish use Komodia code. Besides Trojan.Nurjax, the programs named included:

CartCrunch Israel LTD

WiredTools LTD

Say Media Group LTD

Over the Rainbow Tech

System Alerts

ArcadeGiant

Objectify Media Inc

Catalytix Web Services

OptimizerMonitor

A security researcher who goes by the Twitter handle @TheWack0lian said an additional piece of software known as SecureTeen also installed Komodia-enabled certificates. Over the weekend, the researcher also published findings documenting rootkit technology in Komodia code that allows it to remain hidden from key operating system functions.

Web searches for many of these titles uncover forum posts in which computer users complain that some of these applications are hard to remove once they're installed. Richard noted that he was unable to find documentation from any of the publishers explaining what effect Komodia software had on end-user PCs such as its ability to sniff passwords and other sensitive data from encrypted Web sessions.

Richard went on to publish the SHA1 cryptographic hashes he used to identify software that contained the Komodia code libraries. He invited fellow researchers to use the hashes to identify still more potentially dangerous software circulating online.

"We're publishing this analysis to raise awareness about the scope of local SSL MITM software so that the community can also help protect people and their computers," he wrote. "We think that shining the light on these practices will help the ecosystem better analyze and respond to similar situations as they occur."

Promoted Comments

I haven't actually checked root certificates that get installed as a result of AV software. Can any Ars readers confirm that they use a unique key for each user?

If you double-click on the certificate (from the certlm snap-in to mmc), go to the Details tab and scroll down to take a look at the "Public key" property. There's also a much shorter "Thumbprint". (Right-clicking the cert and getting its properties that way doesn't show anything useful.)

I have half a dozen computers with Kaspersky Internet Security 2015 installed. Some of them have multiple "Kaspersky Anti-Virus Personal Root Certificate"s installed; the valid dates on them look to be from when I've uninstalled and reinstalled or installed an upgrade. Even on the same machine, each has a different thumbprint and RSA 2048-bit public key (the keys all have the same first 9 bytes, but I'm pretty sure that's just a header identifying the key format).

Is this indicative of unique private keys, or could there still be a problem? Or is just having unique public keys all we need? (Can you even generate multiple public keys from one private key?)

(Actually trying to figure out a private key / password for them as was done with "komodia" is not something I'm going to try both for reasons of time and because I'm pretty sure I've reached my limits of competence here.)
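The check discussed in the comments above, scripted as an added example for this page (it is not code from the article, from Facebook's research, or from any of the vendors named). It inventories the machine-wide Trusted Root store that the certlm snap-in shows, and instead of eyeballing the "Public key" property it hashes the whole key: for a 2048-bit RSA key the identical first 9 bytes are just the DER SEQUENCE and INTEGER header of the RSAPublicKey structure, so the hash is what distinguishes one key from another. Run on each machine, the per-computer CSV files can then be compared to answer the question that matters for Komodia-style software: a root CA generated per install never repeats its key across machines, a shared one does. The '*Personal Root*' subject pattern and the CSV file naming are placeholders assumed here, not values from the article.

```powershell
# Added example (not from the article or the Facebook research): inventory the
# machine-wide Trusted Root store and emit, per certificate, a SHA-256 of the
# whole public key so that exports from several machines can be compared.
# Assumption: the vendor's roots are recognisable by a Subject substring; the
# '*Personal Root*' pattern is a placeholder, adjust it to the product in question.
param(
    [string]$SubjectFilter = '*Personal Root*',
    [string]$OutFile = "$env:COMPUTERNAME-rootstore.csv"
)

$sha256 = [System.Security.Cryptography.SHA256]::Create()

$report = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like $SubjectFilter } |
    ForEach-Object {
        $cert = $_
        # GetPublicKey() returns the DER-encoded public key. For 2048-bit RSA the
        # first 9 bytes are the SEQUENCE/INTEGER header, so hash the whole array
        # rather than comparing leading hex by eye.
        $keyHash = ($sha256.ComputeHash($cert.GetPublicKey()) |
                    ForEach-Object { $_.ToString('x2') }) -join ''
        [pscustomobject]@{
            Computer        = $env:COMPUTERNAME
            Subject         = $cert.Subject
            NotBefore       = $cert.NotBefore
            Thumbprint      = $cert.Thumbprint      # SHA-1 over the DER certificate
            PublicKeySHA256 = $keyHash
            # A root CA whose private key sits on the endpoint is exactly what a
            # local SSL proxy needs in order to mint leaf certificates on the fly.
            HasPrivateKey   = $cert.HasPrivateKey
        }
    }

$report | Format-Table -AutoSize
$report | Export-Csv -Path $OutFile -NoTypeInformation

# After collecting one CSV per machine into the same folder, list any key that
# appears on more than one computer: a per-install key never repeats, a
# Komodia-style shared key does.
Get-ChildItem -Path '*-rootstore.csv' |
    Import-Csv |
    Group-Object -Property PublicKeySHA256 |
    Where-Object { ($_.Group.Computer | Sort-Object -Unique).Count -gt 1 } |
    ForEach-Object {
        $machines = ($_.Group.Computer | Sort-Object -Unique) -join ', '
        "Shared public key {0} present on: {1}" -f $_.Name, $machines
    }
```

Two caveats on reading the output. First, distinct thumbprints already imply distinct certificates, but only distinct public keys imply distinct key pairs, which is why the script hashes the key rather than relying on the thumbprint. Second, HasPrivateKey only reports keys stored in the Windows certificate store; an interception product can keep the private key in its own program files instead, so a False there rules nothing out, while a True on a trusted root is worth investigating on its own.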